Server Management - Systems Insight Manager

wbem-wmi hp sim port

Fabio Besana
Occasional Visitor

wbem-wmi hp sim port

Hi, I had a problem with the WBEM port. I want to receive WBEM events from a Windows server, but there is a firewall and I have to know which ports to open. In the HP SIM documentation I see that the ports to open are 5989 from CMS to Agent, 50004 from Agent to CMS and 50005 to CMS, but I think there is some dynamic port because these ports alone aren't enough.
Do you have any idea?

Thanks
Fabio
18 REPLIES
cez
Advisor

Re: wbem-wmi hp sim port

Hi Fabio,

Have you ever figured out what ports to open?

Our Windows servers inside corporate were fine sending WBEM events to the SIM server. However, the ones behind the firewall were not working. We have tried many different ports according to the documentation, unsuccessfully. We have also called HP tech support and had it escalated, but so far they are of no help. It seems like WBEM uses some random ports. The document mentioned the WMI Wrapper and also faults via SNMP or SMTP mail only. Have you looked at those? Were you able to get it working? Please share your findings.

Regards,
Cez
Jeramy
Advisor

Re: wbem-wmi hp sim port

I am in the same situation; the documentation appears to be just plain wrong. If I open the TCP ports described in the documentation, I cannot get the WBEM events; however, if I disable the firewall, I get them just fine.
David Claypool
Honored Contributor

Re: wbem-wmi hp sim port

Don't confuse WBEM and WMI. While WMI is Windows' implementation of WBEM, it uses DCOM as a transport and operates on dynamically-allocated ports.

See page 11 of "Managing HP servers through firewalls with Insight Software 6.0 or greater" from http://www.hp.com/go/hpsim --> Information Library. It indicates a best practice (although doesn't explain why) of placing an instance of the WMI Mapper inside a firewalled network so that HP SIM's native WBEM communications over port 5989 can be maintained (this extends to potentially installing the WMI Mapper on each and every system if a system firewall is in place).

Alternatively, since installing the mapper on every system may be impractical and inefficient, MSDN has several articles on setting up WMI for remote access through firewalls, including how to set up a fixed port: http://www.google.com/search?q=wmi+firewall+site:microsoft.com
Jeramy
Advisor

Re: wbem-wmi hp sim port

I have the WBEM agent installed on the remote host, and it should be sending WBEM events.
When you configure the agents:
"Configuring WBEM enables you to configure a target Linux, Windows, or HP-UX system to send WBEM indications or events to Systems Insight Manager."

So... WBEM is not sending the events over the right port.
David Claypool
Honored Contributor

Re: wbem-wmi hp sim port

What OS is the target running? If it is Windows, then the protocol is WMI.
Jeramy
Advisor

Re: wbem-wmi hp sim port

Didn't mean to hijack your thread, Fabio.
Yes, the server is Windows 2k8 R2 SP1, and the WBEM agent is installed. If it's using WMI, what's the point of having a configurable WBEM agent?
SMH is also using WBEM.
cez
Advisor

Re: wbem-wmi hp sim port

Hi David,

I've set up the WMI wrapper on the managed node which is behind the firewall but still couldn't get it to work. The managed nodes are Windows Server 2003. All I need is to get the WBEM events when something's wrong with the HP hardware.

Have you set this up and got it to work before? Can you please elaborate on the setup?

Thanks,
Cez
David Claypool
Honored Contributor

Re: wbem-wmi hp sim port

After you set up the WMI Mapper on the managed node, did you open port 5989 in the firewall and configure the location of the WMI Mapper in HP SIM's protocol settings so it could be found? It's all pretty simple. Just need to make sure everyone can see each other. No magic involved.
Jeramy
Advisor

Re: wbem-wmi hp sim port

I just did the same thing that cez did: set up the WMI Mapper proxy on the managed nodes. During the setup it asks what port; I specified 5989.
In SIM I added the server to the global protocol settings, and the port.
I went to the managed node's SMH to send a test message; it does not arrive on the SIM server. If I disable the firewall it goes through, and Wireshark shows it coming through on ports 51912, 62879, 62878 etc.
So it's still using WMI, and not the mapper or the WBEM agent.
cez
Advisor

Re: wbem-wmi hp sim port

To answer David's question, the networking team did open port 5989. I configured the WMI Mapper in SIM.

Below was the log from the firewall.

Apr 21 12:03:24 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2405 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:03:24 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2406 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:03:27 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2405 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:03:27 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2406 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:03:45 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2411 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:03:48 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2411 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:03:48 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2412 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:03:54 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2411 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:03:54 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2412 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:04:37 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2420 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:04:37 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2421 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:04:39 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2420 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:04:39 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2421 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:04:45 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2420 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:04:45 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2421 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:04:57 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2424 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:04:58 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2425 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:05:06 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2424 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:05:06 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2425 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:07:50 IH-Back %FWSM-6-302013: Built outbound TCP connection 145673097495364418 for inside:192.168.67.214/2275 (192.168.67.214/2275) to web:10.46.200.82/5989 (10.46.200.82/5989)
Apr 21 12:07:56 IH-Back %FWSM-6-302014: Teardown TCP connection 145673097495364418 for inside:192.168.67.214/2275 to web:10.46.200.82/5989 duration 0:00:06 bytes 10424 TCP FINs

10.46.200.82 is the managed node behind the firewall.

192.168.67.214 is the SIM server.

Thanks!
Cez
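A way to read the firewall log in the post above, added here as an example and not part of the original thread: it groups the FWSM deny and connection-built messages by destination port so the blocked flow (TCP 135, the RPC endpoint mapper that DCOM/WMI contacts first) stands apart from the permitted one (5989). The three sample lines are copied from that log; the function names are hypothetical, and the "for ... to ..." pair in the 302013 message is assumed to read client to server, as it does in the quoted line.

```python
import re
from collections import Counter

# Three lines copied from the firewall log quoted in the post above.
SAMPLE_LOG = """\
Apr 21 12:03:24 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2405 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:03:27 IH-Back %FWSM-4-106023: Deny tcp src web:10.46.200.82/2406 dst inside:192.168.67.214/135 by access-group "acl-web-in" [0x0, 0x0]
Apr 21 12:07:50 IH-Back %FWSM-6-302013: Built outbound TCP connection 145673097495364418 for inside:192.168.67.214/2275 (192.168.67.214/2275) to web:10.46.200.82/5989 (10.46.200.82/5989)
"""

DENY_RE = re.compile(
    r'%FWSM-4-106023: Deny \w+ src [^:\s]+:(?P<src>[\d.]+)/\d+ '
    r'dst [^:\s]+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
# Assumption: "for A to B" is client -> server, as in the quoted line (2275 -> 5989).
BUILT_RE = re.compile(
    r'%FWSM-6-302013: Built \w+ TCP connection \d+ for [^:\s]+:(?P<src>[\d.]+)/\d+ '
    r'\([^)]*\) to [^:\s]+:(?P<dst>[\d.]+)/(?P<dport>\d+)')

RPC_ENDPOINT_MAPPER = 135  # first contact for DCOM; the session port is assigned afterwards


def summarize(log_text):
    """Count denied and permitted flows, ignoring the ephemeral source ports."""
    denied, built = Counter(), Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            denied[(m["src"], m["dst"], int(m["dport"]), m["acl"])] += 1
            continue
        m = BUILT_RE.search(line)
        if m:
            built[(m["src"], m["dst"], int(m["dport"]))] += 1
    return denied, built


def findings(log_text):
    """One human-readable line per distinct flow, denied flows first."""
    denied, built = summarize(log_text)
    out = []
    for (src, dst, dport, acl), n in sorted(denied.items()):
        note = f"{n}x denied {src} -> {dst}:{dport} by {acl}"
        if dport == RPC_ENDPOINT_MAPPER:
            note += " (RPC endpoint mapper: DCOM blocked before any dynamic port is used)"
        out.append(note)
    for (src, dst, dport), n in sorted(built.items()):
        out.append(f"{n}x permitted {src} -> {dst}:{dport}")
    return out


if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_LOG)))
```

Because the connection is refused at port 135, the log never shows which dynamic port the DCOM session would have used next; those denies only appear once 135 is allowed.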
Jeramy
Advisor

Re: wbem-wmi hp sim port

OK finally got some answers.
Windows servers will always use WMI (unless you configure SNMP).

The WBEM "Agent / Providers" are not WBEM, they are an extension of the existing WMI CIM Schema.

If they would have just stated that they are extending the WMI CIM Schema, this would have saved a lot of time and headaches.

The only way to get this to go through a single port is to change the setting on the Windows server to forward WMI events (NOT WBEM events, BECAUSE IT DOESN'T EXIST ON WINDOWS) to the WMI Mapper, so it can turn them into the WBEM protocol that the SIM server understands.

Please, people at HP, pull your heads out of your Wikipedia, and fix your documentation calling WMI WBEM, when it's clearly NOT WBEM, it's WMI.

cez
Advisor

Re: wbem-wmi hp sim port

Hi Jeramy,

How do we configure Windows to forward WMI events to the WMI Mapper? Do you have any documentation or know-how on doing so?

Thanks,
Cez
Jeramy
Advisor

Re: wbem-wmi hp sim port

I haven't gotten that far yet; here is one doc:
http://msdn.microsoft.com/en-us/library/bb219447%28v=vs.85%29.aspx

I believe it's going to require port 135 (DCOM) and another port for actual communication.

I'll let you know when I finish testing.
David Claypool
Honored Contributor

Re: wbem-wmi hp sim port

The model that is used for WMI Indications is the opposite of that for SNMP (where you configure the trap destination on the target's SNMP service). WMI Indications use a subscription model whereby your management application 'subscribes' to the device. This is done through 'Manage Communications' in HP SIM. When you do that, it will establish the path through the requisite WMI Mapper to route communications to the HP SIM CMS.
Jeramy
Advisor

Re: wbem-wmi hp sim port

It's not looking good.

http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/c2ca4979-165a-4bb9-903c-e23f6a35dbf1/

If this is correct, it means HP's secure system requires you to degrade security by opening a crapload of ports.
cez
Advisor

Re: wbem-wmi hp sim port

I think the commands in the "Setting Up a Fixed Port for WMI" document are for Windows Firewall. We don't use Windows Firewall on our Windows Server 2003 servers and have disabled it, so it doesn't apply here. The Windows servers are behind Cisco firewalls.

All we do here is refer to the HP documentation, and it seems like nobody has gotten this to work yet. I wonder if someone from HP can actually do some testing, confirm this actually works and document it instead of just referring to the documentation all the time? Thanks.
Rene Nascimento
Frequent Advisor

Re: wbem-wmi hp sim port

Do we have a definitive solution to get WBEM functioning through a non-windows firewall? I'm looking to solution this now. Thanks in advance.

Tushar Bajpai
Trusted Contributor

Re: wbem-wmi hp sim port

That's correct. It depends on where the WMI Mapper is installed.

1) If the WMI Mapper is installed on the target node (managed node), then opening the above ports in the firewall will solve the issue.

2) If the WMI Mapper acts as a proxy (remote) or is installed on the CMS, the communication between the CMS and the target node will be on dynamic ports (as that is a COM-DCOM call).

Thanks

\Tushar

if it helped, award me Kudos or Points. Thanks :)

\T Bajpai
HP Employee